这段程序是从微软的文件反汇编而得到的,大概意思是得到winlogon的CLIENT_ID,其中有些地方不懂,而且无法转换成C语言。希望哪位高手能指点一二。
;-----------------------------------------------------------------------
; sub_2F02B0A3 (IDA listing, x86, Intel syntax)
; Purpose (reviewer's reading of the listing): walk the process list
; returned by NtQuerySystemInformation(5) and return the DWORD at
; entry+44h of the first entry whose image name equals "winlogon.exe"
; (case-insensitive) AND whose DWORD at entry+50h equals the DWORD read
; from the caller's PEB+1D4h.  Returns 0 when LocalAlloc fails, the
; second query fails, or no entry matches.
; C-equivalent: DWORD sub_2F02B0A3(void)   (retn with no argument cleanup)
; Callee-saved ebx/esi/edi are pushed/popped; ebp frame, 10h of locals.
; Locals: [ebp+uBytes]  size returned by / passed to NtQuerySystemInformation
;         [ebp+var_8]   result, initialised to 0
;         [ebp+var_10]  UNICODE_STRING for "winlogon.exe" (8 bytes on x86)
; Register roles: esi = NtQuerySystemInformation, then the current entry
;                 edi = PEB+1D4h (compared against entry+50h)
;                 ebx = 0 while pushing args, then the LocalAlloc'd buffer
; Note: the first query's status is ignored; uBytes is assumed to receive
; the required size.  If the process list grows between the two queries
; the second one fails and the function returns 0 -- callers should treat
; 0 as "not found" and not as a stable error code.
;-----------------------------------------------------------------------
sub_2F02B0A3 proc near ; CODE XREF: MSOOBE_DisplayUI+1DBp
mov edi, edi ; 2-byte hot-patch padding, no effect
push ebp
mov ebp, esp
sub esp, 10h ; locals: var_10 (8 bytes), var_8, uBytes
mov eax, large fs:18h ; eax = TEB (fs:[18h] is the TEB self pointer)
mov eax, [eax+30h] ; eax = PEB (TEB+30h)
push ebx
push esi
mov esi, ds:NtQuerySystemInformation ; esi = import; called twice below
push edi
mov edi, [eax+1D4h] ; edi = DWORD at PEB+1D4h
; Q1 (author): is edi the session id?
; Reviewer: in the 32-bit PEB layout offset 1D4h is SessionId, so the
; author's guess matches; confirm against the PEB layout of the target
; OS build before relying on it.
lea eax, [ebp+uBytes]
push eax ; ReturnLength = &uBytes
xor ebx, ebx ; ebx = 0 (also the initial result value)
push ebx ; SystemInformationLength = 0
push ebx ; SystemInformation = NULL
push 5 ; SystemProcessesAndThreadsInformation
mov [ebp+var_8], ebx ; result = 0
call esi ; NtQuerySystemInformation -- status ignored, only uBytes is used
push [ebp+uBytes] ; uBytes = size reported by the first query
push ebx ; uFlags = 0 (LMEM_FIXED)
call ds:LocalAlloc
mov ebx, eax ; ebx = buffer
test ebx, ebx
jz short loc_2F02B133 ; allocation failed -> return 0 (nothing to free)
lea eax, [ebp+uBytes]
push eax ; ReturnLength = &uBytes
push [ebp+uBytes] ; SystemInformationLength = uBytes
push ebx ; SystemInformation = buffer
push 5 ; SystemProcessesAndThreadsInformation
call esi ; NtQuerySystemInformation
test eax, eax
jl short loc_2F02B12C ; NTSTATUS < 0 (e.g. size changed) -> free, return 0
push offset aWinlogon_exe ; "winlogon.exe"
lea eax, [ebp+var_10]
push eax ; &var_10
call ds:RtlInitUnicodeString ; var_10 = UNICODE_STRING("winlogon.exe")
mov esi, ebx ; esi = first process entry
loc_2F02B103: ; CODE XREF: sub_2F02B0A3+81j
; Loop invariant: esi points at a valid process entry inside the buffer.
push 1 ; CaseInSensitive = TRUE
lea eax, [ebp+var_10]
push eax ; String2 = &"winlogon.exe"
lea eax, [esi+38h] ; String1 = &entry->ImageName (UNICODE_STRING at +38h)
push eax
call ds:RtlCompareUnicodeString ; 0 when the names are equal
test eax, eax
jnz short loc_2F02B11C ; name differs -> next entry
cmp [esi+50h], edi ; entry+50h == PEB+1D4h ?
; Q2 (author): is [esi+50h] the process id or something else?
; Reviewer: in the SYSTEM_PROCESSES layout the author's C already uses,
; +50h is SessionId and +44h is ProcessId; this compare therefore asks
; "is this winlogon.exe in the caller's own session?" -- confirm the
; offsets against the header in use.
jz short loc_2F02B126 ; name and session both match -> found
loc_2F02B11C:
mov eax, [esi] ; eax = NextEntryOffset (byte delta, 0 = last entry)
test eax, eax
jz short loc_2F02B12C ; end of list, result stays 0
add esi, eax ; esi += NextEntryOffset (bytes, not struct count)
jmp short loc_2F02B103
; ---------------------------------------------------------------------------
loc_2F02B126:
mov eax, [esi+44h] ; eax = DWORD at entry+44h (ProcessId in the author's layout)
mov [ebp+var_8], eax ; result = that value
loc_2F02B12C:
push ebx ; hMem
call ds:LocalFree
loc_2F02B133:
mov eax, [ebp+var_8] ; return result (0 if not found)
pop edi
pop esi
pop ebx
leave
retn
sub_2F02B0A3 endp
我转换成C语言,如下
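/*
 * C reading of sub_2F02B0A3, corrected against the listing.
 *
 * Returns the process id (DWORD at entry+44h) of the first process-list
 * entry whose image name is "winlogon.exe" (case-insensitive) and whose
 * SessionId (entry+50h) equals the caller's PEB.SessionId (PEB+1D4h).
 * Returns 0 when the buffer cannot be allocated, the second query fails
 * (e.g. the process list grew between the two calls), or nothing matches.
 *
 * Fixes relative to the first translation attempt:
 *  - the result is the DWORD stored in var_8 from [esi+44h] (ProcessId),
 *    not a pointer to Threads[0].ClientId;
 *  - the loop condition is "keep walking while name differs OR the
 *    session differs" (Q3): the listing compares entry+50h with PEB+1D4h,
 *    i.e. SessionId with SessionId, not a process id with a session id;
 *  - advancing uses a byte delta (add esi, eax), not struct-sized steps;
 *  - the result is initialised to 0 and the buffer is freed on every path
 *    that allocated it.
 *
 * Field names follow the SYSTEM_PROCESSES layout this snippet already uses
 * (ProcessName @38h, ProcessId @44h, SessionId @50h) -- confirm against the
 * header in use.  NT_PROCESSTHREAD_INFO is the author's name for class 5.
 *
 * Note for callers: the match is by image name and session only (no path
 * or image-signature check), so the returned PID should be treated as a
 * lookup result, not as proof that the process is the real winlogon.
 */
DWORD sub_2F02B0A3(void)
{
    ULONG ulNeed = 0;
    DWORD dwWinLogonPid = 0;          /* var_8 */
    PSYSTEM_PROCESSES hLMem;
    PSYSTEM_PROCESSES p;
    UNICODE_STRING WinLogonUStr;      /* var_10 */

    /* fs:[18h] -> TEB, TEB+30h -> PEB, PEB+1D4h: SessionId in the 32-bit
       PEB layout (confirm for the target build).  The documented
       ProcessIdToSessionId(GetCurrentProcessId(), &id) is an alternative. */
    DWORD sessionid = *(DWORD *)((BYTE *)*(PVOID *)((BYTE *)NtCurrentTeb() + 0x30) + 0x1D4);

    /* First call only sizes the buffer; its status is ignored, as in the listing. */
    NtQuerySystemInformation(NT_PROCESSTHREAD_INFO, NULL, 0, &ulNeed);
    hLMem = (PSYSTEM_PROCESSES)LocalAlloc(LMEM_FIXED, ulNeed);
    if (hLMem)
    {
        if (NtQuerySystemInformation(NT_PROCESSTHREAD_INFO, hLMem, ulNeed, &ulNeed) >= 0)
        {
            RtlInitUnicodeString(&WinLogonUStr, L"winlogon.exe");
            p = hLMem;
            for (;;)
            {
                /* Both conditions must hold: name equal (TRUE = CaseInSensitive,
                   the "push 1" in the listing) and same session as the caller. */
                if (RtlCompareUnicodeString(&p->ProcessName, &WinLogonUStr, TRUE) == 0
                    && p->SessionId == sessionid)
                {
                    dwWinLogonPid = p->ProcessId;   /* [esi+44h] */
                    break;
                }
                if (!p->NextEntryDelta)
                    break;                          /* end of list, result stays 0 */
                p = (PSYSTEM_PROCESSES)((BYTE *)p + p->NextEntryDelta);   /* add esi, eax */
            }
        }
        LocalFree(hLMem);
    }
    return dwWinLogonPid;
}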